Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

5.
How did I get into this?
I bought an IP camera
Found multiple high severity issues
Notified manufacturer, published blogpost
After one year, no patch available
The question is:
• Now what?
I wanted to solve this generic issue

8.
Assumptions
For the next ~5-10 years, assume
– Your IoT device has horrible security holes
– It won’t receive any patches, ever
For the sake of this presentation, I assumed:
• The IoT device is not intentionally malicious
• Is not preloaded with malware
I know, I am an optimistic guy ¯_(ツ)_/¯

13.
I am safe, I regularly patch all of my IoT
devices
Patches are late by years
Most IoT devices do not get a patch, EVER

14.
Problems with direct IPv4 connection
If your IoT device has an Internet routable IPv4
address, without any firewall port filtering
Just prepare for apocalypse
Seriously, don’t do that
CCTV is OCTV today

21.
NAT is sneaky evil
Due to NAT:
• Users believe they are safe behind home router
NAT
• Developers created ways to connect devices behind
NAT, seamlessly
What could possibly go wrong?
https://youtu.be/v26BAlfWBm8
But, but NATs are good …

30.
IP camera cloud hack
This research is work in progress
– Lot of stuff to fine-tune, research
The camera has an Android app
The app can connect to the IP camera even when
it is behind NAT, no port forward
But how???

38.
Same-Origin Policy (SOP)
“a web browser permits scripts contained in a first
web page to access data in a second web page,
but only if both web pages have the same
origin”
Port, protocol and host has to be the same
Goal
• an ad on webmail won’t be able to access the e-
mails

39.
DNS rebind attack
It is (was) possible to bypass browser same origin
policy
One public and one private IP address for a domain
• Use the public IP in first request, deliver malicious
script
• Use the private IP later, malicious script can access
private IP, and leak data
Cat and mouse game started in 1996
https://www.usenix.org/conference/usenixsecurity13
/technical-sessions/presentation/johns

42.
IoT development guideline in a Utopia
Secure by design
Tested for security
Patch released if security issues are found

43.
Current IoT development guideline in
reality
Secure by design
Tested for security
Patch released if security issues are found
Cheap
Be the first on the market
Linux (Busybox ?) embedded
Webserver or VNC embedded

46.
Moar tips for home users
Private IP addresses can be filtered out of DNS
responses.
– External public DNS servers with this filtering
e.g. OpenDNS
– Local sysadmins can configure the organization's
local nameservers to block the resolution of external
names into internal IP addresses.
– DNS filtering in a firewall or daemon e.g. dnswall
Firefox NoScript ABE feature

47.
“Smart devices will make our life easier”
Maybe in ~2100, but until then, it will make our
life a nightmare